Posts on Cloud, DevOps, Citrix, VMware and others. Also tracking my continuous learning from Wintel to open source and development.
Words and views are my own and do not reflect my company's views.
Disclaimer: some of the links on this site are affiliate links, if you click on them and make a purchase, I make a commission.

Saturday, March 12, 2016

Chef Client 12.8.1 Release

We just released Chef Client version 12.8.1 to the chef downloads site. Highlights of this release include:

Support for OpenSSL validation of FIPS

Federal Information Processing Standards (FIPS) is a United States government computer security standard that specifies security requirements for cryptography. The current version of the standard is FIPS 140-2. The chef-client can be configured to allow OpenSSL to enforce FIPS-validated security during a chef-client run. This will disable cryptography in OpenSSL that is explicitly disallowed in FIPS-validated software, including certain ciphers and hashing algorithms. Any attempt to use any disallowed cryptography will cause the chef-client to throw an exception during a chef-client run.

Note: Chef uses MD5 hashes to uniquely identify files that are stored on the Chef server. MD5 is used only to generate a unique hash identifier and is not used for any cryptographic purpose.

Notes about FIPS:

May only be enabled for nodes running on Microsoft Windows and Enterprise Linux platforms

Should only be enabled for environments that require FIPS 140-2 compliance

May not be enabled for any version of the chef-client earlier than 12.8

Enable FIPS Mode

Allowing OpenSSL to enforce FIPS-validated security may be enabled by using any of the following ways:

Set the fips configuration setting to true in the client.rb or knife.rb files

Set the --fips command-line option when running any knife command or the chef-client executable

Set the --fips command-line option when bootstrapping a node using the knife bootstrap command
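The following Ruby snippet is an added example written for this post, not Chef's own code. It models the behaviour the notes describe: FIPS mode is requested either by `fips true` in client.rb/knife.rb or by `--fips` on the command line; once enabled, a cryptographic digest using a non-approved algorithm raises, while the non-cryptographic MD5 file identifier from the note above keeps working. The module name `FipsPolicy`, its methods, and the approved-digest allow-list are assumptions for illustration.

```ruby
require 'openssl'
require 'digest'

# Hypothetical policy helper (not part of chef-client) illustrating the
# FIPS-mode behaviour described in the 12.8.1 release notes.
module FipsPolicy
  # Constructed allow-list of hash algorithms permitted for cryptographic use
  # under FIPS 140-2; MD5 is deliberately absent.
  APPROVED_DIGESTS = %w[SHA256 SHA384 SHA512].freeze

  class DisallowedAlgorithm < StandardError; end

  # Resolves the setting the way the notes describe it can be supplied:
  # --fips on the command line (knife, chef-client, or knife bootstrap),
  # or `fips true` in client.rb / knife.rb (passed here as a Hash).
  def self.fips_requested?(argv, config)
    argv.include?('--fips') || config.fetch(:fips, false) == true
  end

  # Returns an OpenSSL::Digest for +name+. In FIPS mode a disallowed
  # algorithm raises, mirroring the exception chef-client throws.
  def self.crypto_digest(name, fips_enabled:)
    if fips_enabled && !APPROVED_DIGESTS.include?(name.upcase)
      raise DisallowedAlgorithm, "#{name} is not permitted while FIPS mode is enabled"
    end
    OpenSSL::Digest.new(name)
  end

  # Non-cryptographic file identifier: MD5 via Ruby's stdlib Digest, so it
  # does not depend on what OpenSSL allows (an assumption for this example).
  def self.file_identity(content)
    Digest::MD5.hexdigest(content)
  end
end

if $PROGRAM_NAME == __FILE__
  fips = FipsPolicy.fips_requested?(ARGV, { fips: false })
  puts "FIPS mode: #{fips}"
  puts "file id for 'hello': #{FipsPolicy.file_identity('hello')}"
  begin
    FipsPolicy.crypto_digest('MD5', fips_enabled: fips)
    puts 'MD5 digest permitted (FIPS mode off)'
  rescue FipsPolicy::DisallowedAlgorithm => e
    puts "refused: #{e.message}"
  end
end
```

Run it with and without `--fips` to see the two outcomes: without the flag MD5 is constructed normally; with it, the cryptographic path raises while the file-identity checksum is unaffected.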

Command Option

The following command-line option may be used with a knife or chef-client executable command:

Ohai auto-detects Azure and EC2 instance hosts

Support a 'gem' DSL method for cookbook metadata to create a dependency on a rubygem. The gem will be installed via chef_gem after all the cookbooks are synchronized but before any other cookbook loading is done.